What is multi-factor authentication?
It’s a mouthful — “multi-factor authentication.”
What does it mean and why should you care about it?
First of all, it’s kind of like a password on steroids.
It’s a way of verifying who you are —”authentication” — with many things instead of just one password. Many things, or “multiple factors.”
We get help in understanding cybersecurity terms from security professionals at Archer Security Group, parent company of Archer News, as part of our “What is…?” series.
Think about when you go to the ATM, for example.
“Most folks are accustomed to providing a password or passcode to access information or an ATM machine,” said Richard Shiflett with Archer Security Group.
That password or PIN is one factor that bank uses to make sure it’s you.
But you also need your bank card to make it work — another factor.
“Having both the card and the knowledge of the number is multi-factor (in this case two-factor) authentication,” said Shiflett.
The world is awash with data breaches and password thefts, so some sites and companies want to use more than just a password.
They want to use multi-factor authentication.
There are three factors that come into play, according to security experts.
One is your password, a piece of information that in theory only you know.
Another is something that — in theory — only you have, like your phone, your bank card or your driver’s license.
A third is something that is uniquely you, like your fingerprint, your retinal scan, etc.
Some sites may require you to use some or all of these things to get access.
“Using just one factor of authentication can lead to mistakes,” said Jim Feely with Archer Security Group.
“Someone can guess another person’s password,” he explained. “Someone can forge an ID.”
You use it in real life
You use multi-factor authentication when you spot your friend in a grocery store.
“You can very quickly see that your friend recognizes you, you can see her face, you recognize how she waves, you recognize the coat she always wears,” Feely said. “You’re very quickly putting together several observations and using them to identify her.”
But sometimes you jump the gun and use fewer factors.
“I think most of us have had the experience of going shopping with someone, splitting up to do separate things, finding them later, walking up behind them, starting to talk to them, and being shocked and embarrassed when they turn around revealing the face of a stranger!” Feely explained.
Maybe the stranger was wearing the same leather jacket as your friend, or had the same haircut.
“The problem was you just didn’t have enough information about the stranger, and you thought it was your friend,” Feely added. “The same challenge happens on computers and over the Internet.”
You use it online
You may be using multi-factor authentication right now on the Internet and not even know it.
For example, some banks are using information from your phone sensors to see how you usually hold your phone.
If someone else grabs your phone and tries to log onto your bank account, the sensors could show a different kind of movement — a red flag.
But many times, multi-factor authentication is a choice. And many people are not choosing it.
How it can work
Google offers what it calls 2-Step Verification for your Gmail and other Google accounts. That’s a version of multi-factor authentication.
“2-Step Verification can help keep bad guys out, even if they have your password,” Google said on its site.
“2-Step Verification can help keep bad guys out,” Google says. Image credit: Google
If you turn on 2-Step Verification, you’ll have to take an extra step when you sign on to a new computer.
“Whenever you sign in to Google, you’ll enter your password as usual,” the site said.
But Google will also ask you for something else.
“Then, a code will be sent to your phone via text, voice call, or our mobile app,” Google said.
You’ll need to enter that code as well to get onto your account.
Once you get in, you can say that you don’t want to go through that process again on your computer, or you can decide to do it every time.
“During sign-in, you can choose not to use 2-Step Verification again on that particular computer. From then on, that computer will only ask for your password when you sign in,” the site said. “You’ll still be covered, because when you or anyone else tries to sign in to your account from another computer, 2-Step Verification will be required.”
Google shows how its two-step verification process works. First you sign in with your user name and password, then you receive a code via phone or other means to enter as well. Image credit: Google
Do you really need it?
It’s a good idea, security experts say.
New research from the Federal Trade Commission showed just how quickly and easily bad guys can cause you trouble.
The FTC created 100 fake people, with fake names, passwords, credit card numbers and more, according to information the agency released today.
Some of the fake information the FTC posted to see what thieves would do. Image credit: FTC
They posted the information on a site that thieves often scour for victims.
In one case, the crooks tried to steal people’s data in less than ten minutes.
They went on to get into their e-mail and payment accounts, as well as trying to rack up charges on their credit cards.
They attempted more than $12,000 in illegal charges in two weeks, including clothes, pizza and online dating services.
Did anything hold them back? Two-factor authentication, said the FTC.
“Well, in this study, two-factor authentication prevented thieves from gaining access to the accounts,” wrote the FTC’s Ari Lazarus in a post about the research today. “Because these thieves did not have access to the second factor, they were unable to access the accounts. It’s not a cure-all, but it can help.”
Researchers posted fake personal information about 100 people and said crooks tried to steal it in 1.5 hours for the first posting & 9 minutes for the second. Image credit: FTC
How to start
You may want to start using multi-factor authentication on your accounts.
It’s not always easy to find, because different companies call it different things, pointed out the Electronic Frontier Foundation.
Some call it 2FA, short for “two-factor authentication.”
PayPal calls it a “Security Key.”
Facebook calls it “Login Approvals.”
Twitter calls it “Login Verification.”
Bank of America calls it “SafePass.”
Amazon calls it “Two-Step Verification.”
The Electronic Frontier Foundation guide shows you how to set up multi-factor authentication on your accounts, step by step.
Some companies allow you to buy a security key to plug into your computer instead of typing in a code from your phone. Image credit: Yubico
“Traditionally, the general public has just been using username and passwords for authentication because it’s cheap and doesn’t require special devices or sensors,” Feely said.
But that has changed. And you can be more secure. It’s your choice.
“We should expect to see multi-factor authentication use continue to increase as the public’s expectation for better security increases and the cost of implementation decreases,” said Feely.
See also “What is cybersecurity?”, “What is a DDoS?”, “What is ransomware?”, “What is IoT?”, “What is a firewall?”, “What is encryption?”, “What is malvertising?” and “What is a password manager?” from Archer News.